Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2022/08/11 15:27:02 UTC
[GitHub] [pulsar] hpvd opened a new issue, #17069: Automatic Scan for CWEs (additional to CVEs)
hpvd opened a new issue, #17069:
URL: https://github.com/apache/pulsar/issues/17069
### Search before asking
- [X] I searched in the [issues](https://github.com/apache/pulsar/issues) and found nothing similar.
### Motivation
Since https://github.com/apache/pulsar/pull/10855 we are doing dependency scans for vulnerabilities (CVEs = Common Vulnerabilities and Exposures) on a regular basis. That's really great!
As always, there is more one can do. We could also scan for C**W**Es...
### Solution
GitHub allows open source projects like Pulsar the free usage of CodeQL.
This tool tries to spot the C**W**Es (Common Weaknesses) in software written in different languages (and hardware), see https://cwe.mitre.org/
> If you haven’t heard of [CodeQL](https://codeql.github.com/), it’s GitHub’s static code analysis engine that treats code like data and makes it queryable. Then, using a growing library of open source queries corresponding to known security vulnerability patterns, CodeQL scans your code to identify any potential issues.
The usage seems to be the same as the CVE scanner we use: simply by GitHub Action and uploading a report in the end.
For setup see: https://github.com/github/codeql-action
Would be really interesting to give it a test run on a small component of pulsar and see if it can catch anything valuable without too many false positives.
### Alternatives
_No response_
### Anything else?
_No response_
### Are you willing to submit a PR?
- [ ] I'm willing to submit a PR!
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
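For readers who want to try the test run the issue proposes, the following is an added example workflow, not part of the issue, of the Pulsar repository, or of the github/codeql-action project. It wires `github/codeql-action/init` and `github/codeql-action/analyze` into a GitHub Actions job the same way the existing dependency-scan job is wired in, and the `analyze` step uploads the SARIF report to the repository's code scanning tab, which is where the CWE-tagged findings show up. Because Java is a compiled language, CodeQL only sees code that is actually built during the job, so scoping the build to one Maven module is how to limit the first run to "a small component" as the issue suggests. The branch name `master`, JDK 17, the module `pulsar-common`, the Maven flags, and the weekly cron schedule are assumptions made for this example; adjust them to the repository.

```yaml
# Added example: .github/workflows/codeql.yml (assumed path, not in the Pulsar repo)
name: "CodeQL"

on:
  push:
    branches: [ master ]        # assumed default branch
  pull_request:
    branches: [ master ]
  schedule:
    - cron: '0 3 * * 1'         # assumed: one full scan per week, Monday 03:00 UTC

# Least privilege at the workflow level; the job re-grants only what it needs.
permissions:
  contents: read

jobs:
  analyze:
    name: Analyze (Java)
    runs-on: ubuntu-latest
    permissions:
      contents: read            # checkout
      actions: read             # lets code scanning read workflow metadata
      security-events: write    # required to upload the SARIF report
    strategy:
      fail-fast: false
      matrix:
        language: [ 'java' ]

    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Set up JDK
        uses: actions/setup-java@v3
        with:
          distribution: temurin
          java-version: '17'    # assumed JDK for the build

      # init records the build so the analyzer can extract a database from it.
      # 'security-extended' runs the CWE-oriented security queries plus a few
      # lower-precision ones; drop it to keep only the default high-precision set
      # if the first run is too noisy.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}
          queries: security-extended

      # Build only the module under test (and what it depends on) so the first
      # run is scoped to one component. Tests and style checkers are skipped
      # because CodeQL only needs the compilation to happen.
      - name: Build scoped module
        run: >
          mvn -B -ntp -DskipTests
          -Dspotbugs.skip=true -Dcheckstyle.skip=true
          -pl pulsar-common -am install

      # analyze runs the queries and uploads results/java.sarif to code scanning.
      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v2
        with:
          category: "/language:${{ matrix.language }}"
```

Two caveats when reading the first results: CodeQL's Java autobuild can fail on a large multi-module Maven build, which is why the example runs an explicit, scoped `mvn` command instead of the `autobuild` action; and findings are reported per query with a CWE tag in the SARIF, so triage by rule ID rather than by file to judge the false-positive rate the issue asks about.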
[GitHub] [pulsar] github-actions[bot] commented on issue #17069: Automatic Scan for CWEs (additional to CVEs scans)
Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on issue #17069:
URL: https://github.com/apache/pulsar/issues/17069#issuecomment-1242849515
The issue had no activity for 30 days, mark with Stale label.